JWT Decoder

Paste a JSON Web Token to decode header, payload, and inspect claims. 100% client-side.

A JWT (JSON Web Token) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots (header.payload.signature): the header and payload are JSON objects, the signature is raw bytes. JWTs are the common token format for modern API authentication, single sign-on (SSO), and OAuth 2.0 flows.

The header specifies the token type and the signing algorithm (typically HS256, an HMAC with a shared secret, or RS256, an RSA signature). The payload contains claims: data such as the user ID, email, roles, and expiration time. The signature lets a party holding the right key verify that the header and payload have not been altered since the token was signed.

Important: JWTs are encoded, not encrypted. Anyone who obtains a token can decode its payload; the signature only lets a verifier detect modification, it hides nothing. Never put sensitive data (passwords, secrets) in a JWT payload. This tool decodes the header and payload, shows the expiration status, and formats the JSON for easy reading, all client-side so your tokens stay private.
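The decoding step described above, written out as an added example in JavaScript. This is not the DeskTools implementation; it is a stand-alone decoder that splits the token on dots, Base64URL-decodes the header and payload, parses them as JSON and rejects malformed input (wrong segment count, characters outside the Base64URL alphabet, non-JSON segments). The signature segment is returned untouched and is not verified. The sample token is the widely published jwt.io demo token, used here as constructed input; the function and constant names are this example's own.

```javascript
// Added example, not the tool's own code: decode a JWT's header and payload.
// Verification is deliberately absent: the signature is returned as-is.

// Base64URL (RFC 4648 section 5) -> bytes. Restores '+', '/' and padding,
// and rejects anything outside the Base64URL alphabet.
function base64UrlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('not Base64URL: unexpected characters');
  }
  if (segment.length % 4 === 1) {
    throw new Error('not Base64URL: impossible length');
  }
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  // atob exists in browsers and Node >= 16; fall back to Buffer on older Node.
  const binary = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
}

// Decode one segment as UTF-8 text and parse it as a JSON object.
function decodeJsonSegment(segment, label) {
  const text = new TextDecoder('utf-8').decode(base64UrlToBytes(segment));
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    throw new Error(`${label} is not valid JSON: ${e.message}`);
  }
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    throw new Error(`${label} must be a JSON object`);
  }
  return value;
}

// Split header.payload.signature and decode the two readable parts.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length === 5) {
    // Five segments is the JWE compact serialization: the payload is
    // encrypted and cannot be read without the decryption key.
    throw new Error('5 segments: this is a JWE (encrypted), not a decodable JWS');
  }
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature (3 segments), got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: decodeJsonSegment(headerSeg, 'header'),
    payload: decodeJsonSegment(payloadSeg, 'payload'),
    signature: signatureSeg,      // raw Base64URL, left as-is
    signatureVerified: false,     // decoding never establishes authenticity
  };
}

// Constructed sample input: the jwt.io demo token. Header {"alg":"HS256","typ":"JWT"},
// payload {"sub":"1234567890","name":"John Doe","iat":1516239022}.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```

The `signatureVerified: false` field is there so that any code consuming the result cannot mistake a decoded token for an authenticated one; a backend JWT library is what sets that to true.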

Frequently asked questions

How do I decode a JWT token online?

Paste the JWT (header.payload.signature) into the input box. The tool instantly splits it into three parts and Base64-decodes the header and payload, showing the algorithm, claims, expiry, and any custom fields. Everything happens in your browser.

Is it safe to paste a JWT into an online decoder?

With DeskTools, yes — decoding is 100% client-side, so the token never leaves your browser. But remember: a JWT you paste anywhere online should be treated as compromised for production use. For debugging, use expired or test tokens when possible.

What do the JWT claims like iat, exp, and sub mean?

iat = issued at (Unix timestamp, in seconds, when the token was created). exp = expiration time (also a Unix timestamp in seconds). sub = subject (usually the user ID). iss = issuer. aud = audience (the service the token is intended for). These are registered claims defined in RFC 7519; any JWT can add custom claims for roles, permissions, etc.

Can this tool verify a JWT signature?

No. Signature verification requires the signing secret (for HMAC algorithms such as HS256) or the issuer's public key (for RS256), and handling a shared secret in a browser page would expose it. This tool decodes the readable parts (header and payload) only. For signature verification, use your backend's JWT library.

Why is my JWT payload encoded as Base64 if it's not encrypted?

JWTs use Base64URL encoding to make the token URL-safe and compact — not for secrecy. Anyone can decode the payload (like you're doing now). The signature is what prevents tampering. If you need confidentiality, use JWE (encrypted JWT) instead of JWS (signed JWT).

How do I check if a JWT has expired?

After decoding, look at the exp claim in the payload: it is a Unix timestamp in seconds. Compare it to the current time (or use the Timestamp Converter to read it as a date). If it is in the past, the token has expired.
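The expiry check above, carried a little further as an added example (not the tool's own code). It takes an already-decoded payload object and classifies its validity window from the exp, nbf and iat claims, all RFC 7519 NumericDates in seconds. It goes beyond the single exp comparison in the text: it applies a clock-skew leeway (the 60-second default is an assumption, verifiers differ), reports a token that is not yet valid because of nbf, and warns about two common mistakes, an exp with no value at all and a timestamp that was written in milliseconds. The function names, the leeway value and the millisecond threshold are this example's own choices.

```javascript
// Added example, not the tool's own code: classify a decoded JWT payload's
// validity window from exp / nbf / iat (RFC 7519 NumericDate = seconds since epoch).

const DEFAULT_LEEWAY_SECONDS = 60;     // assumed clock-skew tolerance; verifiers vary

// Heuristic (assumption): a NumericDate above 1e11 seconds (year 5138) is almost
// certainly a millisecond timestamp that was stored where seconds belong.
const MILLISECONDS_THRESHOLD = 1e11;

// Return the claim as a number of seconds, undefined if absent, error if malformed.
function toNumericDate(value, name) {
  if (value === undefined) return undefined;
  if (typeof value !== 'number' || !Number.isFinite(value)) {
    throw new Error(`${name} must be a number of seconds, got ${JSON.stringify(value)}`);
  }
  return value;
}

// status: 'valid' | 'expired' | 'not-yet-valid' | 'no-expiry'.
// 'valid' only says the time window is open; it says nothing about the signature.
function checkTokenTimes(
  payload,
  nowSeconds = Math.floor(Date.now() / 1000),
  leeway = DEFAULT_LEEWAY_SECONDS,
) {
  const exp = toNumericDate(payload.exp, 'exp');
  const nbf = toNumericDate(payload.nbf, 'nbf');
  const iat = toNumericDate(payload.iat, 'iat');
  const warnings = [];

  for (const [name, value] of [['exp', exp], ['nbf', nbf], ['iat', iat]]) {
    if (value !== undefined && value > MILLISECONDS_THRESHOLD) {
      warnings.push(`${name} looks like milliseconds, not seconds (${value})`);
    }
  }
  if (iat !== undefined && iat > nowSeconds + leeway) {
    warnings.push(`iat is in the future by ${iat - nowSeconds}s: clock skew or a bad issuer`);
  }

  let status = 'valid';
  if (exp === undefined) {
    status = 'no-expiry';
    warnings.push('no exp claim: the token never expires on its own');
  } else if (nowSeconds >= exp + leeway) {
    // RFC 7519: the current time MUST be before exp; leeway absorbs skew.
    status = 'expired';
  }
  if (status !== 'expired' && nbf !== undefined && nowSeconds + leeway < nbf) {
    status = 'not-yet-valid';
  }

  const iso = (secs) => (secs === undefined ? null : new Date(secs * 1000).toISOString());
  return {
    status,
    expiresAt: iso(exp),
    notBefore: iso(nbf),
    secondsUntilExpiry: exp === undefined ? null : exp - nowSeconds,
    warnings,
  };
}

// Constructed sample payload: issued 2023-11-14T22:13:20Z, valid for one hour.
const SAMPLE_PAYLOAD = { sub: 'user-42', iat: 1700000000, exp: 1700003600 };

console.log(checkTokenTimes(SAMPLE_PAYLOAD));              // expired by the time you read this
console.log(checkTokenTimes(SAMPLE_PAYLOAD, 1700001000));  // inside the window: 'valid'
```

Passing `nowSeconds` explicitly, as the last line does, is what makes the check reproducible in tests; relying on the wall clock is fine for an interactive tool but makes "was this token valid when the request arrived" impossible to answer later.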